lxd-to-incus not working with headless server

[mcondarelli]

Required information

• Distribution: Debian
• Distribution version: Bookworm

• The output of "incus info":

    root@lxd:~# incus info
    If this is your first time running Incus on this machine, you should also run: incus admin init
    To start your first container, try: incus launch images:ubuntu/22.04
    Or for a virtual machine: incus launch images:ubuntu/22.04 --vm
  
    config: {}
    api_extensions:
    - storage_zfs_remove_snapshots
    - container_host_shutdown_timeout
    - container_stop_priority
    - container_syscall_filtering
    - auth_pki
    - container_last_used_at
    - etag
    - patch
    - usb_devices
    - https_allowed_credentials
    - image_compression_algorithm
    - directory_manipulation
    - container_cpu_time
    - storage_zfs_use_refquota
    - storage_lvm_mount_options
    - network
    - profile_usedby
    - container_push
    - container_exec_recording
    - certificate_update
    - container_exec_signal_handling
    - gpu_devices
    - container_image_properties
    - migration_progress
    - id_map
    - network_firewall_filtering
    - network_routes
    - storage
    - file_delete
    - file_append
    - network_dhcp_expiry
    - storage_lvm_vg_rename
    - storage_lvm_thinpool_rename
    - network_vlan
    - image_create_aliases
    - container_stateless_copy
    - container_only_migration
    - storage_zfs_clone_copy
    - unix_device_rename
    - storage_lvm_use_thinpool
    - storage_rsync_bwlimit
    - network_vxlan_interface
    - storage_btrfs_mount_options
    - entity_description
    - image_force_refresh
    - storage_lvm_lv_resizing
    - id_map_base
    - file_symlinks
    - container_push_target
    - network_vlan_physical
    - storage_images_delete
    - container_edit_metadata
    - container_snapshot_stateful_migration
    - storage_driver_ceph
    - storage_ceph_user_name
    - resource_limits
    - storage_volatile_initial_source
    - storage_ceph_force_osd_reuse
    - storage_block_filesystem_btrfs
    - resources
    - kernel_limits
    - storage_api_volume_rename
    - network_sriov
    - console
    - restrict_dev_incus
    - migration_pre_copy
    - infiniband
    - dev_incus_events
    - proxy
    - network_dhcp_gateway
    - file_get_symlink
    - network_leases
    - unix_device_hotplug
    - storage_api_local_volume_handling
    - operation_description
    - clustering
    - event_lifecycle
    - storage_api_remote_volume_handling
    - nvidia_runtime
    - container_mount_propagation
    - container_backup
    - dev_incus_images
    - container_local_cross_pool_handling
    - proxy_unix
    - proxy_udp
    - clustering_join
    - proxy_tcp_udp_multi_port_handling
    - network_state
    - proxy_unix_dac_properties
    - container_protection_delete
    - unix_priv_drop
    - pprof_http
    - proxy_haproxy_protocol
    - network_hwaddr
    - proxy_nat
    - network_nat_order
    - container_full
    - backup_compression
    - nvidia_runtime_config
    - storage_api_volume_snapshots
    - storage_unmapped
    - projects
    - network_vxlan_ttl
    - container_incremental_copy
    - usb_optional_vendorid
    - snapshot_scheduling
    - snapshot_schedule_aliases
    - container_copy_project
    - clustering_server_address
    - clustering_image_replication
    - container_protection_shift
    - snapshot_expiry
    - container_backup_override_pool
    - snapshot_expiry_creation
    - network_leases_location
    - resources_cpu_socket
    - resources_gpu
    - resources_numa
    - kernel_features
    - id_map_current
    - event_location
    - storage_api_remote_volume_snapshots
    - network_nat_address
    - container_nic_routes
    - cluster_internal_copy
    - seccomp_notify
    - lxc_features
    - container_nic_ipvlan
    - network_vlan_sriov
    - storage_cephfs
    - container_nic_ipfilter
    - resources_v2
    - container_exec_user_group_cwd
    - container_syscall_intercept
    - container_disk_shift
    - storage_shifted
    - resources_infiniband
    - daemon_storage
    - instances
    - image_types
    - resources_disk_sata
    - clustering_roles
    - images_expiry
    - resources_network_firmware
    - backup_compression_algorithm
    - ceph_data_pool_name
    - container_syscall_intercept_mount
    - compression_squashfs
    - container_raw_mount
    - container_nic_routed
    - container_syscall_intercept_mount_fuse
    - container_disk_ceph
    - virtual-machines
    - image_profiles
    - clustering_architecture
    - resources_disk_id
    - storage_lvm_stripes
    - vm_boot_priority
    - unix_hotplug_devices
    - api_filtering
    - instance_nic_network
    - clustering_sizing
    - firewall_driver
    - projects_limits
    - container_syscall_intercept_hugetlbfs
    - limits_hugepages
    - container_nic_routed_gateway
    - projects_restrictions
    - custom_volume_snapshot_expiry
    - volume_snapshot_scheduling
    - trust_ca_certificates
    - snapshot_disk_usage
    - clustering_edit_roles
    - container_nic_routed_host_address
    - container_nic_ipvlan_gateway
    - resources_usb_pci
    - resources_cpu_threads_numa
    - resources_cpu_core_die
    - api_os
    - container_nic_routed_host_table
    - container_nic_ipvlan_host_table
    - container_nic_ipvlan_mode
    - resources_system
    - images_push_relay
    - network_dns_search
    - container_nic_routed_limits
    - instance_nic_bridged_vlan
    - network_state_bond_bridge
    - usedby_consistency
    - custom_block_volumes
    - clustering_failure_domains
    - resources_gpu_mdev
    - console_vga_type
    - projects_limits_disk
    - network_type_macvlan
    - network_type_sriov
    - container_syscall_intercept_bpf_devices
    - network_type_ovn
    - projects_networks
    - projects_networks_restricted_uplinks
    - custom_volume_backup
    - backup_override_name
    - storage_rsync_compression
    - network_type_physical
    - network_ovn_external_subnets
    - network_ovn_nat
    - network_ovn_external_routes_remove
    - tpm_device_type
    - storage_zfs_clone_copy_rebase
    - gpu_mdev
    - resources_pci_iommu
    - resources_network_usb
    - resources_disk_address
    - network_physical_ovn_ingress_mode
    - network_ovn_dhcp
    - network_physical_routes_anycast
    - projects_limits_instances
    - network_state_vlan
    - instance_nic_bridged_port_isolation
    - instance_bulk_state_change
    - network_gvrp
    - instance_pool_move
    - gpu_sriov
    - pci_device_type
    - storage_volume_state
    - network_acl
    - migration_stateful
    - disk_state_quota
    - storage_ceph_features
    - projects_compression
    - projects_images_remote_cache_expiry
    - certificate_project
    - network_ovn_acl
    - projects_images_auto_update
    - projects_restricted_cluster_target
    - images_default_architecture
    - network_ovn_acl_defaults
    - gpu_mig
    - project_usage
    - network_bridge_acl
    - warnings
    - projects_restricted_backups_and_snapshots
    - clustering_join_token
    - clustering_description
    - server_trusted_proxy
    - clustering_update_cert
    - storage_api_project
    - server_instance_driver_operational
    - server_supported_storage_drivers
    - event_lifecycle_requestor_address
    - resources_gpu_usb
    - clustering_evacuation
    - network_ovn_nat_address
    - network_bgp
    - network_forward
    - custom_volume_refresh
    - network_counters_errors_dropped
    - metrics
    - image_source_project
    - clustering_config
    - network_peer
    - linux_sysctl
    - network_dns
    - ovn_nic_acceleration
    - certificate_self_renewal
    - instance_project_move
    - storage_volume_project_move
    - cloud_init
    - network_dns_nat
    - database_leader
    - instance_all_projects
    - clustering_groups
    - ceph_rbd_du
    - instance_get_full
    - qemu_metrics
    - gpu_mig_uuid
    - event_project
    - clustering_evacuation_live
    - instance_allow_inconsistent_copy
    - network_state_ovn
    - storage_volume_api_filtering
    - image_restrictions
    - storage_zfs_export
    - network_dns_records
    - storage_zfs_reserve_space
    - network_acl_log
    - storage_zfs_blocksize
    - metrics_cpu_seconds
    - instance_snapshot_never
    - certificate_token
    - instance_nic_routed_neighbor_probe
    - event_hub
    - agent_nic_config
    - projects_restricted_intercept
    - metrics_authentication
    - images_target_project
    - cluster_migration_inconsistent_copy
    - cluster_ovn_chassis
    - container_syscall_intercept_sched_setscheduler
    - storage_lvm_thinpool_metadata_size
    - storage_volume_state_total
    - instance_file_head
    - instances_nic_host_name
    - image_copy_profile
    - container_syscall_intercept_sysinfo
    - clustering_evacuation_mode
    - resources_pci_vpd
    - qemu_raw_conf
    - storage_cephfs_fscache
    - network_load_balancer
    - vsock_api
    - instance_ready_state
    - network_bgp_holdtime
    - storage_volumes_all_projects
    - metrics_memory_oom_total
    - storage_buckets
    - storage_buckets_create_credentials
    - metrics_cpu_effective_total
    - projects_networks_restricted_access
    - storage_buckets_local
    - loki
    - acme
    - internal_metrics
    - cluster_join_token_expiry
    - remote_token_expiry
    - init_preseed
    - storage_volumes_created_at
    - cpu_hotplug
    - projects_networks_zones
    - network_txqueuelen
    - cluster_member_state
    - instances_placement_scriptlet
    - storage_pool_source_wipe
    - zfs_block_mode
    - instance_generation_id
    - disk_io_cache
    - amd_sev
    - storage_pool_loop_resize
    - migration_vm_live
    - ovn_nic_nesting
    - oidc
    - network_ovn_l3only
    - ovn_nic_acceleration_vdpa
    - cluster_healing
    - instances_state_total
    - auth_user
    - security_csm
    - instances_rebuild
    - numa_cpu_placement
    - custom_volume_iso
    - network_allocations
    - zfs_delegate
    - storage_api_remote_volume_snapshot_copy
    - operations_get_query_all_projects
    - metadata_configuration
    - syslog_socket
    - event_lifecycle_name_and_project
    - instances_nic_limits_priority
    - disk_initial_volume_configuration
    - operation_wait
    - image_restriction_privileged
    - cluster_internal_custom_volume_copy
    - disk_io_bus
    - storage_cephfs_create_missing
    - instance_move_config
    - ovn_ssl_config
    - certificate_description
    api_status: stable
    api_version: "1.0"
    auth: trusted
    public: false
    auth_methods:
    - tls
    auth_user_name: root
    auth_user_method: unix
    environment:
      addresses: []
      architectures:
      - x86_64
      - i686
      certificate: |
        -----BEGIN CERTIFICATE-----
        MIIB9DCCAXqgAwIBAgIQNlJPKmRRC0XMBDS+Xiv3iTAKBggqhkjOPQQDAzAuMRkw
        FwYDVQQKExBMaW51eCBDb250YWluZXJzMREwDwYDVQQDDAhyb290QGx4ZDAeFw0y
        MzEyMjcxMjQyMzNaFw0zMzEyMjQxMjQyMzNaMC4xGTAXBgNVBAoTEExpbnV4IENv
        bnRhaW5lcnMxETAPBgNVBAMMCHJvb3RAbHhkMHYwEAYHKoZIzj0CAQYFK4EEACID
        YgAEn1xoWBZqPMjIMKII0uN68kFQf2NkRgZsQvIfWzM1jVNNvBHrUT0J6XzWjkr0
        mcxzVKMEVd4cNX1+pHk+RTesW7cD9pCeQPn/ncTxiN0fRdg6kIVrtTXnNoBb1Z1t
        ujp4o10wWzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYD
        VR0TAQH/BAIwADAmBgNVHREEHzAdggNseGSHBH8AAAGHEAAAAAAAAAAAAAAAAAAA
        AAEwCgYIKoZIzj0EAwMDaAAwZQIwCF8ImaFMsHumgbK6L07trlEKE2IHE5VFuu+m
        7MSQMTPHd3JZ4I9LBvmFHIkoqnXxAjEA3eq1YpS4NC22pu5PGUJ8ptbQEe3H1cUc
        +LF3vqDpvsBWoBpA6eyVZ5QLANVp0Qkv
        -----END CERTIFICATE-----
      certificate_fingerprint: 8250f470b0351991c5f0f67ca2faacb92225dc8d60e013b0faf67daa9b6f060a
      driver: qemu | lxc
      driver_version: 8.1.3 | 5.0.3
      firewall: nftables
      kernel: Linux
      kernel_architecture: x86_64
      kernel_features:
        idmapped_mounts: "true"
        netnsid_getifaddrs: "true"
        seccomp_listener: "true"
        seccomp_listener_continue: "true"
        uevent_injection: "true"
        unpriv_fscaps: "true"
      kernel_version: 6.1.0-16-amd64
      lxc_features:
        cgroup2: "true"
        core_scheduling: "true"
        devpts_fd: "true"
        idmapped_mounts_v2: "true"
        mount_injection_file: "true"
        network_gateway_device_route: "true"
        network_ipvlan: "true"
        network_l2proxy: "true"
        network_phys_macvlan_mtu: "true"
        network_veth_router: "true"
        pidfd: "true"
        seccomp_allow_deny_syntax: "true"
        seccomp_notify: "true"
        seccomp_proxy_send_notify_fd: "true"
      os_name: Debian GNU/Linux
      os_version: "12"
      project: default
      server: incus
      server_clustered: false
      server_event_mode: full-mesh
      server_name: lxd
      server_pid: 182028
      server_version: "0.4"
      storage: ""
      storage_version: ""
      storage_supported_drivers:
      - name: btrfs
        version: "6.2"
        remote: false
      - name: dir
        version: "1"
        remote: false

Issue description

I tried to follow instructions but I hit an error:

root@lxd:~# lxd-to-incus 
=> Looking for source server
==> Detected: .deb package
=> Looking for target server
==> Detected: systemd
=> Connecting to source server
=> Connecting to the target server
=> Checking server versions
==> Source version: 5.0.2
==> Target version: 0.4
=> Validating version compatibility
=> Checking that the source server isn't empty
=> Checking that the target server is empty
=> Validating source server configuration

Source server uses obsolete features:
 - Source server is using deprecated key "core.trust_password"
Error: Source server is using incompatible configuration

I assume there's some problem in transporting certificate, but I'm unsure how to proceed. Documentation includes a relevant, but rather terse, paragraph:

The tool will also look for any configuration that is incompatible with Incus and fail before any data is migrated.

A slightly expanded version about how to overcome possible problems would be highly appreciated.

I willing to write it, if someone tells me what should I do in this specific case.

Steps to reproduce

1. Have a working LXD installation remotely manageable. Note: I issued:

   mcon@lxd:~$ lxc config trust add
   To start your first container, try: lxc launch ubuntu:22.04
   Or for a virtual machine: lxc launch ubuntu:22.04 --vm
   
   Please provide client name: cinderella
   Client cinderella certificate add token:
   eyJjbGl...many more chars...wWiJ9

   to be able to remotely manage from cinderella.

2. Install Incus (daily 27/12/2023, if it matters)
3. Run lxd-to-incus

[stgraber]

- Source server is using deprecated key "core.trust_password"

That gets solved by unsetting that config key with lxc config unset core.trust_password

[mcondarelli]

Thanks @stgraber, Can you confirm that will not impair my ability to control that server (lxd) from outside (cinderella)? I do not remember explicitly setting that variable (I assume it was implicitly set when I issued lxc config trust add). I am (was) unsure if it is needed or not. If it is "not used anymore" as I seem to understand we can close this. I will reopen (or open a new one) if I get further errors in lxd-to-incus

To be clear, I will:

1. remove variable with lxc config unset core.trust_password
2. run again lxd-to-incus
3. expect to be able to control Incus server using the same certificate as before (or should I re-run incus config trust add?)

[stgraber]

The certificate will be kept as part of the migration.

core.trust_password is a very unsafe way to add clients to a server which predates the current token based method (incus config trust add).

So there's no real reason why anyone would still want to use that, it's just that LXD can't remove it due to API backward compatibility concerns. With Incus we just decided not to offer it from the start.

[knutov]

core.trust_password is simple to use and acceptable/secure enough in some situations.

It's sad it was removed from Incus, I used it a lot and have many scripts that requires core.trust_password.

[stgraber]

Trust tokens work almost the same way except that they can only be used a single time and can be easily revoked and controlled on the server side.

If you absolutely need to have a fixed credential, your other option would be to generate a client certificate, add that to the server trust store and then just use that client certificate on all the clients you need it to.

It's still not great security wise but you'll still avoid brute force attacks and can still revoke the whole thing easily enough.

A variation on that option would be to use the PKI mode instead. Which then allows you to generate as many client certificates as you want and have them be automatically allowed to interact with Incus so long as they're signed by the CA that Incus is using.